
Platform shoes and bellbottoms may still be going strong, but at least one innovation from the 1970s is running out of steam. In 1977, the National Bureau of Standards (NBS), later to become the National Institute of Standards and Technology (NIST), introduced the Data Encryption Standard (DES), a method for encrypting electronic information so it couldn't be read by interlopers. Any company charged with encrypting data on behalf of the federal government was required to use the standard, and because the government has always purchased on such a large scale, most of the computer industry quickly adopted the standard, using it to secure everything from ATM transactions to e-mail. In early 1998, however, the Electronic Frontier Foundation (EFF), a civil liberties organization based in San Francisco, built a $250,000 machine that could break the DES code in 56 hours, proving that much of the country's important data was at risk.

"A $250,000 machine is within the price range of organized crime, rogue governments, and so on," says Susan Landau, a senior staff engineer at Sun Microsystems' Sun Labs who recently published an article concerning DES for Notices of the American Mathematical Society.

The DES algorithm uses a 56-bit key, meaning the number needed to decrypt each piece of data is 56 bits long, and the EFF machine was able to break the code using what cryptanalysts call a brute force attack: trying every possible key until the correct one is found. Many companies had adopted so-called triple DES, encrypting each piece by running the DES algorithm three times in succession, but this only makes the code twice as difficult to break, not three times as difficult, and makes encryption much more time consuming.

"You'd think that triple DES is 168-bit secure, but it actually gives only 112-bit security because you can do something called a meet-in-the-middle attack," continues Landau. "And, because DES just wasn't designed for today's computer processes, it just works too slowly."
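The meet-in-the-middle idea Landau mentions, as an added example that is not part of the original article: with two known plaintext/ciphertext pairs, double encryption under two k-bit keys falls to about 2^(k+1) cipher operations instead of 2^(2k), and the same trick applied to three keys leaves 2^(2k) work, which is the 112-bit figure for triple DES. The toy Feistel cipher, its 12-bit keys and the sample values are constructed for the demonstration and are not DES.

```python
# Added illustration: meet-in-the-middle on double encryption with a toy cipher.
# The Feistel cipher and its 12-bit keys are constructed for this demo; it is not DES.
KEY_BITS, ROUNDS, MASK16 = 12, 4, 0xFFFF

def _f(half, key, rnd):
    """Toy round function; a Feistel network is invertible for any choice of f."""
    x = (half ^ (key * 0x9E37 + rnd * 0x79B9)) & MASK16
    x = (x * x + 0x1B3 * x + key) & MASK16
    return ((x << 5) | (x >> 11)) & MASK16

def encrypt(block, key):
    left, right = block >> 16, block & MASK16
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(right, key, rnd)
    return (left << 16) | right

def decrypt(block, key):
    left, right = block >> 16, block & MASK16
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(left, key, rnd), left
    return (left << 16) | right

def double_encrypt(block, k1, k2):
    return encrypt(encrypt(block, k1), k2)

def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known plaintext/ciphertext pairs.
    Returns (candidate key pairs, cipher operations spent in the two sweeps)."""
    p0, c0 = pairs[0]
    table, ops = {}, 0
    for k1 in range(1 << KEY_BITS):          # forward sweep: E_k1(P) for every k1
        table.setdefault(encrypt(p0, k1), []).append(k1)
        ops += 1
    found = []
    for k2 in range(1 << KEY_BITS):          # backward sweep: D_k2(C) for every k2
        ops += 1
        for k1 in table.get(decrypt(c0, k2), ()):
            # Middle values agree on the first pair; confirm on the remaining pairs.
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                found.append((k1, k2))
    return found, ops

# Constructed sample: secret keys and three known plaintexts.
K1, K2 = 0x3A7, 0xC15
PAIRS = [(p, double_encrypt(p, K1, K2)) for p in (0x01234567, 0x89ABCDEF, 0xDEADBEEF)]

if __name__ == "__main__":
    found, ops = meet_in_the_middle(PAIRS)
    print(f"candidates={found} ops={ops} (2^{KEY_BITS + 1}) vs exhaustive 2^{2 * KEY_BITS}")
```

The cost that makes this a time-memory trade-off is the table: one entry per first-stage key, which for real DES would be 2^56 entries.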

So NIST decided a new standard was in order, asking mathematicians from across the globe to suggest faster, more secure algorithms. Fifteen different algorithms were submitted, only one coming from the United States, and by the summer of 1999, NIST had selected five finalists. Finally, this past November, the organization introduced the Rijndael encryption algorithm, submitted by a team of Belgian mathematicians, as the successor to DES. The Advanced Encryption Standard (AES) was born.

Instead of adhering to a single key length, AES can use keys ranging from 128 to 256 bits, and increasing the key length makes your data exponentially more secure. Despite being more difficult to break, AES encryption is also significantly faster than its predecessor. Today, DES or triple-DES is still used by most industries to encrypt electronic data. "Web browsing and cable television aside," says Landau. "DES is the algorithm of choice." It's used by banking networks, ATM cards, smart cards, and secure telephones, to name a few.

AES is slowly growing in the market, and a growing number of people are analyzing it. "The more people that analyze an algorithm, the more people that try to break it, the more comfortable people feel with it," says Rob Gagne, chief technology officer for Atabok, which has started to use AES in its e-mail encryption platform, VCNMail.

Eventually AES will be as widely used as DES. AES is not only in Atabok's software but also in the BasicCard ZC4.5A, a Smart Card offered by German company ZeitControl cardsystems GmbH. "AES gives security and more speed than DES," says Michael Petig, head of software development at ZeitControl. "Speed is a big requirement for smart cards, where you have low memory and low calculation power."

When will AES fully saturate the market? "It will be a while before it's really built into the infrastructure," says Landau. "I'd suspect that within the next couple of years we will see widespread use."